2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-25 07:23:41 +01:00

Update README.md

This commit is contained in:
Julien Vehent 2014-12-25 13:50:10 -05:00
parent 051f927fcd
commit ac15fc738d

199
README.md
View File

@ -1,51 +1,55 @@
CipherScan
==========
A very simple way to find out which SSL/TLS ciphersuites are supported by a target.
Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations. Cipherscan uses the `openssl s_client` command line to run the tests.
```bash
$ ./cipherscan jve.linuxwall.info
........................
Target: jve.linuxwall.info:443
On Linux x86_64 run: ./cipherscan www.google.com:443
On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443
and watch.
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits
3 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,2048bits
4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,2048bits
5 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
6 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
7 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits
8 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
9 DHE-RSA-AES128-SHA256 TLSv1.2 DH,2048bits
10 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
11 DHE-RSA-AES256-SHA256 TLSv1.2 DH,2048bits
12 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
13 AES128-GCM-SHA256 TLSv1.2
14 AES256-GCM-SHA384 TLSv1.2
15 AES128-SHA256 TLSv1.2
16 AES256-SHA256 TLSv1.2
17 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
18 AES256-SHA TLSv1,TLSv1.1,TLSv1.2
19 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
20 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2
21 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
22 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2
23 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
The newer your version of openssl, the better results you'll get. Versions
of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc... Build your own or test what your system's OpenSSL supports.
Cipherscan should work fine on Linux, Mac OS X, Solaris, Illumos, SmartOS, OpenIndiana if you specify a an openssl binary with -o.
Build OpenSSL with ChaCha20-Poly1305 support (Optional)
-------------------------------------------------------
The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, [the snapshot from the OpenSSL gitweb view](http://git.openssl.org/gitweb/?p=openssl.git;a=tree;h=161b23361778c155f9c174694b1db2506a2e0b52;hb=9a8646510b) and build it like this:
```
./config no-shared
make
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering
```
And get the binary from `app/openssl`. (`./config` will ask you to run `make depend` which will fail - for our purposes this step is not required)
Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations, TLS options, OCSP stapling and more. Cipherscan is a wrapper above the `openssl s_client` command line.
Options
-------
Cipherscan is meant to run on all flavors of unix. It ships with its own built of OpenSSL for Linux/64 and Darwin/64. On other platform, it will use the openssl version provided by the operating system (which may have limited ciphers support), or your own version provided in the `-o` command line flag.
```
-a | --allciphers Test all known ciphers individually at the end.
-b | --benchmark Activate benchmark mode.
-d | --delay Pause for n seconds between connections
-D | --debug Output ALL the information.
-h | --help Shows this help text.
-j | --json Output results in JSON format.
-o | --openssl path/to/your/openssl binary you want to use.
-v | --verbose Increase verbosity.
```
Examples
--------
Example
-------
Testing plain SSL/TLS:
```
linux $ ./cipherscan www.google.com:443
Basic test:
```bash
$ ./cipherscan google.com
...................
Target: google.com:443
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
@ -62,11 +66,14 @@ prio ciphersuite protocols pfs_keysize
13 AES256-GCM-SHA384 TLSv1.2
14 AES256-SHA256 TLSv1.2
15 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
16 ECDHE-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
17 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
18 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
16 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
17 ECDHE-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
18 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 100800
OCSP stapling: not supported
Server side cipher ordering
```
Testing STARTTLS:
@ -108,111 +115,6 @@ $ /cipherscan -j -starttls xmpp jabber.ccc.de:5222
],
"trusted": "False",
"pfs": "DH,1024bits"
},
{
"cipher": "AES256-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "None"
},
{
"cipher": "EDH-RSA-DES-CBC3-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "DH,1024bits"
},
{
"cipher": "DES-CBC3-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "None"
},
{
"cipher": "DHE-RSA-AES128-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "DH,1024bits"
},
{
"cipher": "AES128-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "None"
},
{
"cipher": "RC4-SHA",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "None"
},
{
"cipher": "RC4-MD5",
"protocols": [
"SSLv3",
"TLSv1"
],
"pubkey": [
"2048"
],
"sigalg": [
"sha1WithRSAEncryption"
],
"trusted": "False",
"pfs": "None"
}
]
}
@ -220,7 +122,7 @@ $ /cipherscan -j -starttls xmpp jabber.ccc.de:5222
Analyzing configurations
------------------------
The motivation behind cipherscan is to help admins configure good TLS on their
The motivation behind cipherscan is to help operators configure good TLS on their
endpoints. To help this further, the script `analyze.py` compares the results of
a cipherscan with the TLS guidelines from https://wiki.mozilla.org/Security/Server_Side_TLS
and output a level and recommendations.
@ -260,6 +162,11 @@ compatibility level they want to support. Again, refer to
https://wiki.mozilla.org/Security/Server_Side_TLS for more information.
Note on Nagios mode:
`analyse.py` can be ran as a nagios check with `--nagios`. The exit code will
then represent the state of the configuration:
* 2 (critical) for bad tls
* 1 (warning) if it doesn't match the desired level
* 0 (ok) if it matches.
cipherscan can take more than 10 seconds to complete. To alleviate any timeout
issues, you may want to run it outside of nagios, passing data through some
temporary file.